The invention concerns a method to protect an electronic data object from unauthorized access, as well as a data processing system to execute the method and a storage medium on which is stored information to execute the method on a data processing device.
The increasing use of electronic data objects makes intelligent mechanisms for their protection from unauthorized access ever more necessary. Data objects can be, for example, individual files, or assembled file systems or file structures that serve for the storage or filing of information. The protection of data objects is particularly important in computer-aided workstations that are used by multiple persons and on which confidential information can be accessed. Such information occurs, among other things, in medical work environments, in laboratory, research or development environments, or in demographically-oriented work environments. Information referring to people must be protected in particular measure.
Protective mechanisms are known that are based on the encryption of the data objects. However, the encryption and decryption takes a relatively long time, particularly for large data objects, and is not practicable within work environments that are constrained to rationalized and economic functionalities. Moreover, the appropriate handling of sufficiently secure keys for encryption systems represents a considerable expenditure. Additionally, changes to the encryption system can only be implemented directly on the database itself, while the other copies of the data objects (for example, copies that are on data media or mobile workstations) are not reached.
Moreover, the protection of data objects based on the encryption offers no protection from the deletion of data objects and allows no differentiated allocation of access rights, for example, the differentiation between read, write or delete access. Furthermore, given asymmetric encryption methods, the entire receiver circle must already be known when encrypting since the public key of each receiver must be taken into account.
The protection of data objects on operating systems is also known, in which the extent of the data access is determined by the rights of the user logged onto the operating system. The extent of the access rights is determined via an “Access Control List” (ACL) that is associated by the operating system with each data object in the file system. In the ACL of each data object, the user-dependent access rights are specifically listed for the respective operating system.
However, the ACL is part of the operating system or file system, and not of the data objects themselves, in that the ACL is merely copied when copying data objects within the file system (i.e., the ACL is handed down), while it is not preserved upon copying outside of the respective file system. Preserving it is not possible due to the operating system-specific functionality of the ACL. Moreover, changes to the access rights for data objects that are present in multiple copies within the file system can likewise not be centrally implemented, since they are not automatically adopted by the copies of the data objects.
Moreover, it is advantageous, for example on medical systems in a clinical environment or on personnel or financial administration systems, to not limit specific functionalities only to specific users, but rather to introduce an additional dependency on the processed data. Thus, for example, in a clinical environment, all access rights to private patient data (with the exception of a read-right) could be unlocked exclusively for head doctors, while all doctors would have full access to the data of all other patients. Further differences could be implemented for data types such as laboratory reports (to which in principle only laboratory assistants must have editing access, while other clinical personnel only require read access). Similar differentiations are also likewise reasonably used in other work environments such as banks or personnel management.
A user typically receives (user-dependent and possibly system- or domain-dependent) a combination of “Create”, “Read”, “Update” and “Delete” rights, i.e., standard rights. Functional rights, designated as “Execute” rights, are exclusively assigned within an application and by the application itself, dependent on the data type or data content. An “Execute” right determines whether a specific functionality may be executed, such as, for example, an image processing event, the annotation of a data set, a finding in an electronic patient file, etc. The user-dependent assignment of standard rights is independent of the data-dependent assignment of functional “Execute” rights. The data-dependent assignment of “Execute” rights is in turn application-dependent and can therefore be handled differently, in an undesired manner, by different applications in different domains.
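To illustrate how user-dependent standard rights and data-dependent functional rights combine in the clinical scenario of the two preceding paragraphs, here is an added Python example; it is not part of the patent text and does not implement the claimed method. The roles, data types, function names and the table mapping each function to the standard right it needs are assumptions chosen to mirror the scenario.

```python
from dataclasses import dataclass

CRUD = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class DataObject:
    kind: str              # assumed data types: "patient_record" or "lab_report"
    private: bool = False  # marks private patient data


def standard_rights(role: str, obj: DataObject) -> frozenset:
    """User-dependent CRUD rights, narrowed by the data being processed."""
    if obj.kind == "patient_record":
        if role == "head_doctor":
            return CRUD
        if role == "doctor":
            # private patient data: everything except reading is reserved for head doctors
            return frozenset({"read"}) if obj.private else CRUD
    if obj.kind == "lab_report":
        if role == "lab_assistant":
            return CRUD  # only laboratory assistants may edit lab reports
        if role in ("head_doctor", "doctor"):
            return frozenset({"read"})  # other clinical personnel read only
    return frozenset()  # unknown role or data type: no rights


# Assumed application-defined, data-dependent "Execute" rights: which functions exist
# for a data type, and which standard right each function needs to run.
EXECUTE_RIGHTS = {
    "patient_record": {"annotate": "update", "finding": "update", "image_processing": "read"},
    "lab_report": {"annotate": "update"},
}


def may_execute(role: str, obj: DataObject, function: str) -> bool:
    """A function runs only if the data type offers it (data-dependent Execute right)
    and the user holds the standard right it needs (user-dependent standard right)."""
    needed = EXECUTE_RIGHTS.get(obj.kind, {}).get(function)
    if needed is None:
        return False
    return needed in standard_rights(role, obj)


if __name__ == "__main__":
    private = DataObject("patient_record", private=True)
    print(sorted(standard_rights("doctor", private)))       # ['read']
    print(may_execute("doctor", private, "annotate"))       # False
    print(may_execute("head_doctor", private, "annotate"))  # True
```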
A particular problem of conventional mechanisms for access control is represented by copies of data objects (for example, via sending by e-mail or via transfer to portable storage media) whose existence can be controlled or monitored neither in number nor in extent. Any possibility of a subsequent, central change of access rights to copies that belong together with regard to content, or to analogous or modified copies, is thereby made impossible. Such a change cannot be effected on all data objects via the conventional control mechanisms, since their number and whereabouts are unknown.